
FIGURE 1 



Receive at a first sensor the belief state of 
another sensor in the intrusion detection 
system. 



i 

Adjust a prior belief state of the first 
sensor, the adjustment based at least in 
part on the other sensor's belief state. 
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FIGURE 3 
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Identify a set of potentially similar features shared by a 
new alert and one or more existing alert classes. 
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Generate or update an expectation of similarity between 
the features of the new alert and the features of one or 
more existing alert classes. 
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Generate or update a minimum similarity requirement for 
the features of the new alert and the features of one or more 
existing alert classes 
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Perform a comparison between the new alert and the 
existing alert class(es). 




Associate the new alert 
with the existing alert 
class that it most closely 
matches. 



Define a new alert class to 
include the new alert. 
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FIGURE 4 
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Figure 5 



r 




EMERALD Development Project 
System Design Laboratory 



Observer Name: ISS RealSecure 
Observer Location: ntbox.emeraId.sri.com 
Observer Source: realtime 
Local Host Time: 01/02/01 13:03:52 PST 







Figure 6 




Figure 7 
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Figure 8 




Figure 9 



